On (06/17/16 08:43), Linda Dunbar wrote:
> Sowmini,
>
> You said:
> "However, applying IPsec to specific flows (e.g., those defined by a src
> or dst port on which the service listens) is important."
>
> What is the current operation procedure for Overlay network to inform the
> underlay network on which flows to go through IPSec channel?
>
> You said:
> "..But that also made me wonder about the interaction between IPsec/IKE
> and the proposed BGP FS (IPsec is frequently used between end-systems that
> do not want to run a BGP daemon). Since the config information that needs
> to be distributed are things like keys, algorithms etc to populate the
> sadb/spd, IKE looks more appropriate in most cases."
>
> Does the underlay network controller get some information (or hint from
> the Overlay network controller) on how the keys are configured for the
> IPSec tunnel for the specific flows among the Overlay nodes?
there are 2 aspects to this

- for the underlay network, as nodes/NVEs appear, the controller needs to
  update the relevant nodes, because, as you pointed out, ipsec SAs are
  between 2 end-points, so all the needed pair-wise associations need to be
  set up.

- overlay -> underlay communication: the overlay network needs some way to
  tell the underlay which flows need the ipsec transforms (and what ipsec
  config params to use for those transforms). At the moment we have a
  simplistic model for achieving this, but this obviously needs to scale.
  One way would be by orchestrating this via some management connection to
  the controller.

--Sowmini

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf
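The two aspects in the reply above (pair-wise SAs between every NVE pair, and an overlay-supplied mapping from flow selectors to IPsec transforms) can be made concrete with a small model. The following is an added example written for this thread, not code from either poster or from any I2NSF or NVO3 draft; the class and function names, the NVE names, the SPI numbering and the placeholder key bytes are all this example's own assumptions. It shows how many SAs an underlay controller has to install as NVEs appear, and how an SPD built from port-based selectors decides which flows get protected and which bypass IPsec.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Hypothetical model of the SPD/SADB state an underlay controller would push
# to each NVE. Field and class names are this example's own.


@dataclass(frozen=True)
class Selector:
    """Traffic selector; None means 'any'. Ports are how service flows are named."""
    proto: Optional[str] = None      # "tcp", "udp" or None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, proto: str, src_port: int, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.src_port is None or self.src_port == src_port)
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass(frozen=True)
class Transform:
    """IPsec parameters the overlay hands down together with the selector."""
    mode: str                        # "transport" or "tunnel"
    esp_alg: str                     # e.g. "aes-gcm-128" (constructed label)
    integ_alg: Optional[str] = None  # None for combined-mode ciphers


@dataclass
class SPDEntry:
    selector: Selector
    action: str                      # "protect" or "bypass"
    transform: Optional[Transform] = None


@dataclass(frozen=True)
class SA:
    local: str
    peer: str
    transform: Transform
    spi: int
    key: bytes   # constructed placeholder; real keys would come from IKE


def pairwise_sas(nves, transform, spi_base=0x1000):
    """One SA per direction per NVE pair: SAs are unidirectional and point-to-point,
    so n NVEs need n*(n-1) SAs for a single transform."""
    sas = []
    for i, (a, b) in enumerate(combinations(sorted(nves), 2)):
        for j, (local, peer) in enumerate(((a, b), (b, a))):
            key = f"placeholder-key-{local}->{peer}".encode()   # constructed
            sas.append(SA(local, peer, transform, spi_base + 2 * i + j, key))
    return sas


def lookup(spd, proto, src_port, dst_port):
    """Ordered SPD lookup: first match wins; unmatched traffic bypasses IPsec."""
    for entry in spd:
        if entry.selector.matches(proto, src_port, dst_port):
            return entry
    return SPDEntry(Selector(), "bypass")


def build_underlay_state(nves, overlay_policy):
    """Expand an overlay policy (list of (selector, transform)) into the per-NVE
    SPD plus the outbound SAs each NVE needs towards every other NVE."""
    spd = [SPDEntry(sel, "protect", tr) for sel, tr in overlay_policy]
    state = {nve: {"spd": spd, "sas": []} for nve in nves}
    # dict.fromkeys keeps insertion order, so SPI blocks are assigned deterministically
    for k, tr in enumerate(dict.fromkeys(tr for _, tr in overlay_policy)):
        for sa in pairwise_sas(nves, tr, spi_base=0x1000 + 0x1000 * k):
            state[sa.local]["sas"].append(sa)
    return state


if __name__ == "__main__":
    nves = ["nve1", "nve2", "nve3"]                     # constructed node names
    tr = Transform("transport", "aes-gcm-128")
    policy = [(Selector("tcp", dst_port=443), tr)]     # protect only the HTTPS service flow
    state = build_underlay_state(nves, policy)
    for nve, st in state.items():
        print(nve, "outbound SAs:", [(sa.peer, hex(sa.spi)) for sa in st["sas"]])
    print("tcp/443 ->", lookup(state["nve1"]["spd"], "tcp", 50000, 443).action)
    print("tcp/80  ->", lookup(state["nve1"]["spd"], "tcp", 50000, 80).action)
```

The quadratic growth of `pairwise_sas` is the scaling problem the reply points at: every new NVE requires the controller to touch every existing NVE, which is why key material is better negotiated pair-wise by IKE and only the selector-to-transform policy distributed centrally.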